From 01d012473d4311d4f4e5a0831d912bc4b8c61639 Mon Sep 17 00:00:00 2001 From: tdback Date: Sat, 11 Jan 2025 19:08:14 -0500 Subject: feat: use unbound as a recursive DNS resolver. retire blocky --- flake.nix | 2 +- hosts/heimdall/default.nix | 2 +- modules/retired/blocky/default.nix | 93 +++++++++++++++++++++++++++++++++++++ modules/services/blocky/default.nix | 93 ------------------------------------- modules/services/dns/default.nix | 26 +++++++++++ 5 files changed, 121 insertions(+), 95 deletions(-) create mode 100644 modules/retired/blocky/default.nix delete mode 100644 modules/services/blocky/default.nix create mode 100644 modules/services/dns/default.nix diff --git a/flake.nix b/flake.nix index b6ac68a..1462d06 100644 --- a/flake.nix +++ b/flake.nix @@ -58,7 +58,7 @@ } { type = "services"; - modules = [ "blocky" "searx" "ssh" ]; + modules = [ "dns" "searx" "ssh" ]; } ]) (mkSystem "odin" inputs.nixpkgs [ diff --git a/hosts/heimdall/default.nix b/hosts/heimdall/default.nix index 50bbbaf..7aed928 100644 --- a/hosts/heimdall/default.nix +++ b/hosts/heimdall/default.nix @@ -37,6 +37,6 @@ programs.motd = { enable = true; networkInterfaces = lib.lists.singleton "eno1"; - servicesToCheck = [ "blocky" "searx" ]; + servicesToCheck = [ "searx" "unbound" ]; }; } diff --git a/modules/retired/blocky/default.nix b/modules/retired/blocky/default.nix new file mode 100644 index 0000000..ca58f4f --- /dev/null +++ b/modules/retired/blocky/default.nix 
@@ -0,0 +1,93 @@ +{ pkgs, ... }: +{ + services.blocky = { + enable = true; + package = pkgs.blocky; + settings = { + upstreams = { + init.strategy = "fast"; + groups.default = [ + "9.9.9.9" + "149.112.112.112" + ]; + }; + bootstrapDns = [{ + upstream = "https://dns.quad9.net/dns-query"; + ips = [ "9.9.9.9" ]; + }]; + ports = { + dns = 53; + tls = 853; + https = 443; + }; + blocking = { + denylists = { + ads = [ + "https://adaway.org/hosts.txt" + "https://v.firebog.net/hosts/AdguardDNS.txt" + "https://v.firebog.net/hosts/Admiral.txt" + "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt" + "https://v.firebog.net/hosts/Easylist.txt" + "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext" + "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts" + "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts" + ]; + malicious = [ + "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt" + "https://v.firebog.net/hosts/Prigent-Crypto.txt" + "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts" + "https://phishing.army/download/phishing_army_blocklist_extended.txt" + "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt" + "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt" + "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts" + "https://urlhaus.abuse.ch/downloads/hostfile/" + "https://v.firebog.net/hosts/Prigent-Malware.txt" + ]; + other = [ + "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser" + ]; + suspicious = [ + "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt" + "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts" + "https://v.firebog.net/hosts/static/w3kbl.txt" + "https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt" + 
"https://someonewhocares.org/hosts/zero/hosts" + "https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts" + "https://winhelp2002.mvps.org/hosts.txt" + "https://v.firebog.net/hosts/neohostsbasic.txt" + "https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt" + "https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt" + ]; + tracking-telemetry = [ + "https://v.firebog.net/hosts/Easyprivacy.txt" + "https://v.firebog.net/hosts/Prigent-Ads.txt" + "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts" + "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt" + "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt" + "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt" + "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt" + "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt" + "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt" + "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt" + ]; + }; + clientGroupsBlock.default = [ + "ads" + "malicious" + "other" + "suspicious" + "tracking-telemetry" + ]; + loading = { + concurrency = 16; + strategy = "failOnError"; + }; + }; + }; + }; + + networking.firewall = { + allowedTCPPorts = [ 53 443 853 ]; + allowedUDPPorts = [ 53 ]; + }; +} diff --git a/modules/services/blocky/default.nix b/modules/services/blocky/default.nix deleted file mode 100644 index ca58f4f..0000000 --- a/modules/services/blocky/default.nix +++ /dev/null 
@@ -1,93 +0,0 @@ -{ pkgs, ... }: -{ - services.blocky = { - enable = true; - package = pkgs.blocky; - settings = { - upstreams = { - init.strategy = "fast"; - groups.default = [ - "9.9.9.9" - "149.112.112.112" - ]; - }; - bootstrapDns = [{ - upstream = "https://dns.quad9.net/dns-query"; - ips = [ "9.9.9.9" ]; - }]; - ports = { - dns = 53; - tls = 853; - https = 443; - }; - blocking = { - denylists = { - ads = [ - "https://adaway.org/hosts.txt" - "https://v.firebog.net/hosts/AdguardDNS.txt" - "https://v.firebog.net/hosts/Admiral.txt" - "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt" - "https://v.firebog.net/hosts/Easylist.txt" - "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext" - "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts" - "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts" - ]; - malicious = [ - "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt" - "https://v.firebog.net/hosts/Prigent-Crypto.txt" - "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts" - "https://phishing.army/download/phishing_army_blocklist_extended.txt" - "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt" - "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt" - "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts" - "https://urlhaus.abuse.ch/downloads/hostfile/" - "https://v.firebog.net/hosts/Prigent-Malware.txt" - ]; - other = [ - "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser" - ]; - suspicious = [ - "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt" - "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts" - "https://v.firebog.net/hosts/static/w3kbl.txt" - "https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt" - 
"https://someonewhocares.org/hosts/zero/hosts" - "https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts" - "https://winhelp2002.mvps.org/hosts.txt" - "https://v.firebog.net/hosts/neohostsbasic.txt" - "https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt" - "https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt" - ]; - tracking-telemetry = [ - "https://v.firebog.net/hosts/Easyprivacy.txt" - "https://v.firebog.net/hosts/Prigent-Ads.txt" - "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts" - "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt" - "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt" - "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt" - "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt" - "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt" - "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt" - "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt" - ]; - }; - clientGroupsBlock.default = [ - "ads" - "malicious" - "other" - "suspicious" - "tracking-telemetry" - ]; - loading = { - concurrency = 16; - strategy = "failOnError"; - }; - }; - }; - }; - - networking.firewall = { - allowedTCPPorts = [ 53 443 853 ]; - allowedUDPPorts = [ 53 ]; - }; -} diff --git a/modules/services/dns/default.nix b/modules/services/dns/default.nix new file mode 100644 index 0000000..e229da3 --- /dev/null +++ b/modules/services/dns/default.nix 
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+ services.unbound = {
+ enable = true;
+ package = pkgs.unbound-with-systemd;
+ enableRootTrustAnchor = true;
+ resolveLocalQueries = true;
+ settings.server = {
+ interface = [ "0.0.0.0" ];
+ port = 53;
+ access-control = [ "10.44.0.0/16 allow" ];
+ harden-glue = true;
+ harden-dnssec-stripped = true;
+ use-caps-for-id = false;
+ edns-buffer-size = 1232;
+ prefetch = true;
+ hide-identity = true;
+ hide-version = true;
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+}
-- cgit v1.2.3
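Review bot: `interface = [ "0.0.0.0" ]` combined with the unconditional `allowedTCPPorts`/`allowedUDPPorts = [ 53 ]` exposes the resolver on every interface of the host, so the single `access-control` entry is the only thing standing between this and an open resolver; unbound refuses other sources by default, but the firewall rule should still be scoped to the LAN, e.g. `networking.firewall.interfaces.eno1 = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; };` (eno1 looks like the LAN NIC from the heimdall motd config in this same commit — confirm). Overriding `access-control` here also appears to replace the NixOS module's default localhost allow entries (they are set with `mkDefault`, if I recall the module correctly); unbound's built-in default still permits 127.0.0.0/8, but since `resolveLocalQueries = true` makes the host depend on that, I would add `"127.0.0.0/8 allow"` and `"::1/128 allow"` to the list explicitly. A one-line comment above `access-control`, such as `# LAN only; unlike the retired blocky module this resolver applies no blocklists`, would record that dropping the ad/malware filtering is intentional rather than an oversight of the migration.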